Want Turns to Need

Software security is no longer an emerging discipline, and here's why enterprises should care

Software security (also known as application security to some) is less than a decade old. In 1999 when I began to write "Building Secure Software" with John Viega, there were no books and only a few articles for software developers and architects interested in building in security. Lots of tomes and titles now fill the software security bookshelf.

Not surprisingly, software security is now considered a real subsector of computer security and is even tracked by analysts. The Yankee Group estimates that the entire market is worth between $250-275 million, numbers that jibe with my own breakdown of the space.

As software security grows from a nice-to-have into a necessity, many companies are trying to determine how to get started. A quick look over the space can provide some answers.

Bigger Toolbox
Last year, the combined software security tools market earned between $90-$100 million. Most of this revenue was earned by black box testing tools, especially those tools created specifically for testing Web software. Black box testing tool vendors earned between $58-$70 million. The leader in the Web application security testing space is Watchfire, which earned close to $30 million last year. The other strong competitor, SPI Dynamics, earned just over $18 million. Lesser companies in the space, including Cenzic, Codenomicon, and the like, earned another $10 million or so between them.

My view of black box testing tools, which I call "badness-ometers," is well known. In brief, badness-ometers are great for helping identify and highlight the software security problem -- just don't treat them as security meters. As such, I'm pleased that the market for these tools is robust, having doubled last year and continuing with similar growth into 2007. The best aspect of these tools is that they help companies and developers understand that their software is broken -- an essential activity in a new market like software security. Once this realization hits home, these companies are well positioned to take advantage of code analysis tools and other software security professional services.

If your company has yet to come to grips with software security, a black box testing tool may be just what the doctor ordered. On good days, these tools can find very serious problems with very little up front investment, and in many organizations, identifying the problem is often half the battle.

As badness-ometers continue to spread, they drive demand for solutions that do more than identify the problem. Source-code analysis tools speak to this demand. Last year, code scanners earned around $20 million (more than doubling the 2005 revenue). This market is dominated by Fortify, which earned 10 times more than its closest remaining competitor, Ounce Labs. (Fortify acquired some of the assets of Secure Software early this year.) Klocwork and Coverity, which sell closely related tools, tend to focus more on software quality than software security, so I don't count their revenue in this analysis.

Code scanning tools are often very reasonable places to start for development groups that want to tackle the software security problem, especially in shops that are code intensive.

Services Uptick
Software security testing tools and source code analysis tools don't run themselves, nor do they provide a silver bullet for the software security problem. All told, the software security services market is worth anywhere from $80-$120 million. SPI Dynamics and Watchfire's offerings are simple and powerful enough to be wielded by workaday testers and developers, but more complex tools work much more effectively when they are properly integrated into an organization.

Large consultancies such as IBM Global Services, Cybertrust, Symantec, and Ernst & Young focus their software security activities on application penetration testing services. Ultimately, these are badness-ometer services. In many cases, they rely on running and reporting the results of a Web application security testing tool.

Boutique consulting shops such as Foundstone and Cigital focus more attention on getting inside the code. These consultancies wield source code scanners, provide training, and also perform architectural risk analysis.

In 2006, services surrounding more complete software security initiatives at the enterprise level came into vogue. These large scale initiatives include training for thousands of developers, the creation of enterprise-specific knowledge and guidance, and the integration of software security best practices (which I call the touchpoints) into the software development lifecycle.

Overcoming Denial
Software security is quickly becoming a business necessity. As I described in last month's column, SOX and PCI compliance activities serve to help corporations better understand their software risk. (See Compliance As Kick-Starter.) Because the impact of software failure (maliciously caused or otherwise) is great, many corporations are already working diligently on software security.

There are many ways to get started. Those corporations serious about tackling the problem -- that is, those corporations with staggering amounts of software security risk -- take on multi-year enterprise software security initiatives. Microsoft has made plenty of noise and progress with its Trustworthy Computing initiative. Other ISVs, including Oracle and Cisco, are rushing to catch up even as their customers begin to ask hard questions about product security. The financial vertical leads the pack among non-ISV corporations with large scale initiatives underway. The first step in any large initiative is creating a plan based on best practices. Such plans almost always include a heavy training component.

A large initiative may be too much to bite off at once, especially if your company has yet to come to grips with the business reality of the problem. In these cases, getting started with a simple badness-ometer tool is often helpful. These tools can produce eye-opening results of the "oh darn" variety, which in turn provide excellent ammunition to counter challengers who claim "our software is just fine."

Another alternative is hiring a security team to analyze a critical application. The deeper the analysis, the better the results will be; but even a quick and dirty penetration test can serve to get the ball rolling.

Training also makes a great starting point, especially if it is focused on developers and architects. The trick to successful software security training is to make sure that whoever develops and delivers it is a bona fide software person. Years of security experience will not help without deep knowledge of C, C++, Java, and software architecture. Developers only listen to their own kind.

No matter what the route, there is no longer any excuse to put off software security. Customers are becoming aware of the problem, regulations demand real solutions, and the reactive network security hacks of the past consistently fail.

Computer security spent many years in a reactive stance, with vendors inventing and peddling band-aid solutions like firewalls, antivirus tools, and intrusion detection engines. Only recently has the stark reality of security begun to sink in. We have no alternative but to build security into the software that we depend on to run the modern world.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
